Most of our HP workstations have AMT. Our management has decreed that we disable AMT based on the recent security advisory. We've never provisioned our systems. We struggled through running the tools in May to pull inventory on affected systems and deployed updated firmware from HP. The whole experience was exhausting.

I've read some posts that suggest to disable AMT we need to remove the LMS service as well as delete LMS.exe. In our inventory, only some of our newer systems are running LMS. Is there an alternative way to disable AMT (short of accessing the BIOS of each system) on all our workstations?

Will ACUConfig.exe offer protection? Should I setup SCS to disable AMT?

On the page, there is also an HP BCU User Guide link, you can use this for reference.

1. You'll need to verify the settings on each of the computers because the verbiage in the BIOS differs from model to model. You can run the tool and do a "get" command on each of the models to find out the correct verbiage.2. Once you find the correct verbiage, you would remotely call WMI to disable AMT on the system. You can use powershell to do this.

Hi Phil,If someone has:1. Physical access to the system2. Is knowledgeable enough to access MEBx3. MEBx password is set to default and has not been changed.then they would be able to re-enable AMT using the default admin password.

There are three ways to change the digest admin default password (in order of simple to complex):1. Physically on the system, accessing MEBx and changing password.2. Configuration via USB Key, which begins in section 1.4.2 of the SCS User Guide - Physical access to the system is required for this method.3. Remote Configuration (best solution if you have many systems or if they are remote but are on your domain). More details begin at section 1.4.4 of the SCS User Guide.

For remote configuration, a specific AMT certificate from one of the certificate authorities is required. As mentioned in the previous post, there is only one way to perform a remote configuration where the MEBx password can be changed, which is the aforementioned method. You will be unable to perform this change remotely without one.

The certificate would reside on the RCS Server in the certificate store of the service account running the RCSServer service. Once you open the certificate snap-in for that account, you will find the certificate in the personal store. You would then be able to look at the certificate subject and match it against the OU string: Intel(R) Client Setup Certificate